From 578d62aea57e106bbb79e3c3e6a18aa58fbbe99f Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 8 Feb 2012 16:49:25 +0100
Subject: Bug 722161: Clickjacking is possible in "View All" with HTML
 attachments r=dkl a=LpSolit

---
 .../en/default/attachment/show-multiple.html.tmpl    | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'template/en/default/attachment')

diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index 64b6ce767..8791e0dfe 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -75,10 +75,22 @@
   </table>
 
   [% IF a.is_viewable %]
-    <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
-      <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
-      <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
-    </iframe>
+    [% IF a.contenttype == "text/html" %]
+      [%# For security reasons (clickjacking, embedded scripts), we never
+        # render HTML pages from here. The source code is displayed instead. %]
+      [% INCLUDE global/textarea.html.tmpl
+         minrows = 10
+         cols    = 80
+         defaultcontent = a.data
+         readonly = 'readonly'
+         classes = 'viewall_frame'
+      %]
+    [% ELSE %]
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+        <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
+        <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
+      </iframe>
+    [% END %]
   [% ELSE %]
     <p><b>
       Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
-- 
cgit v1.2.3-24-g4f1b